I'm wondering whether someone might review my LDAP configuration at a high level and let me know what I'm doing wrong.
In EEM 8.4, I have a secure LDAP connection set up to a single AD Domain. I started with a good plaintext connection, changed the port to 636, added a .pem that my AD guys generated from Microsoft Certificate Server, and modified iPoz.conf, setting ExternalDirSSL to true and setting ExternalDirCACertPath to the path to my .pem file.
EEM 11.3.6 has changed all this. They've made it easier (in theory) by removing the need for a text editor, but unfortunately I can't seem to figure out what's required.
I tested my plaintext LDAP connection successfully, verifying the userid.
I copied the .pem file to ..Program Files (x86)\CA\SC\iTechnology\. This is the same .pem file I'm using successfully in 8.4.
I changed the port to 636.
I changed the protocol from LDAP to LDAPS.
I added the path to the .pem file in the CA Certificate Path field.
I hit Save.
Just to be safe, I bounced the CA Directory - itechnology and CA iTechnology services. No improvement.
I tried changing the protocol to LDAP+TLS, to no avail.
I tried changing the path from C:\Program Files (x86)\CA\SC\iTechnology\myfile.pem to simply myfile.pem. Nope.
I am leaving the Certificate and Certificate Key path fields blank since they weren't required in 8.4. The docs seem to suggest that they're only needed for unusual key lengths or if you're using a PKCS container.
The only thing that *does* work is if I leave all three fields blank, but I'm pretty sure that's not what I want to do. We came across an Active Directory 2012 bug when we were working through this in 8.4 that causes the Domain Controller to crash when you use certificate-less secure LDAP.
Any advice appreciated.
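One way to check, outside EEM, whether the .pem actually validates the domain controller's LDAPS certificate. This is an added example for this thread, not EEM's or CA's code; it uses only the Python standard library, and the host name and file path in the usage block are placeholders.

```python
"""Check an LDAPS endpoint's certificate chain against a CA .pem file (stdlib only)."""
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_cert_count(pem_text: str) -> int:
    """Count CERTIFICATE blocks in the file. A CA path needs the issuing CA chain
    (root plus any intermediates), not the DC's own server certificate."""
    return len(PEM_BLOCK.findall(pem_text))


def classify_tls_failure(message: str) -> str:
    """Map an ssl error text to the most likely configuration cause."""
    m = message.lower()
    if "certificate verify failed" in m or "unable to get local issuer" in m:
        return "ca-mismatch"        # .pem does not contain the CA that signed the DC cert
    if "hostname mismatch" in m or "doesn't match" in m:
        return "hostname-mismatch"  # connected by IP or short name; use the FQDN in the cert
    if "wrong version number" in m or "unexpected eof" in m:
        return "not-tls"            # a plaintext LDAP listener answered on this port
    return "other"


def check_ldaps(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection the way a client with this CA path would."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True,
                        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                        "san": cert.get("subjectAltName", ())}
    except (ssl.SSLError, ssl.CertificateError, OSError) as exc:
        return {"ok": False, "cause": classify_tls_failure(str(exc)), "error": str(exc)}


if __name__ == "__main__":
    # Placeholder values: replace with the DC's FQDN and the .pem given to EEM.
    CA_FILE = r"C:\Program Files (x86)\CA\SC\iTechnology\myfile.pem"
    with open(CA_FILE, encoding="ascii") as fh:
        print("certificates in .pem:", pem_cert_count(fh.read()))
    print(check_ldaps("dc01.example.internal", CA_FILE))
```

A result of `ca-mismatch` with a single certificate in the file usually means the .pem is the server certificate or only part of the chain; `hostname-mismatch` means the name EEM connects to is not in the certificate's SAN.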
Please have a look at this new techdoc, written to explain the certificate fields in EEM R12.
In order to troubleshoot the connection at a deeper level, you will need to enable the caldap.log present in EIAM_HOME\config\logger\server.xml:
<!-- caldap logger only uses debug and trace level -->
<!-- changes to caldap logging require a restart of the server -->
<logger name="caldap" additivity="false">
    <!-- <level value="info"/> -->
    <level value="debug"/>  <!-- set to debug or trace to enable caldap logging -->
    <appender-ref ref="caldap" />
</logger>
YES! These explanations are much more helpful than what's in the implementation guide.